Re: analysing optional policy


 



On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
> I'm having a problem with optional policy not being used when I think it 
> should.
> 
> Is it possible to use apol to get information on optional policy for .pp files 
> so I can try to work out why it doesn't get enabled?
> 
>                 unconfined_run_to(depmod_t, depmod_exec_t)
> 
> In the Debian policy I have the above in an optional section of base.pp but 
> for reasons that I don't understand it's not being loaded (both tests and 
> running apol on policy.24 show this).
> 
> I've inspected the contents of base.conf and they appear to be OK.
> 
> Any suggestions of other tools to analyse this will be appreciated.
> 

I have a policy compiler written in Lua that I used in the past to
experiment with language extensions and that I am currently working
towards being able to convert Refpolicy to CIL.  It is not industrial
strength and not friendly to anyone except its creator, but it does
display more error messages.

Running it on the policy in selinux-policy-src_0.2.20100524-4_all.deb I
found the following:

Same parameter used as both a role and a type:
- Line 69 in ../debian_policy/policy/modules/apps/seunshare.if

Undefined macro calls:
- samba_run_smb at Line 180 in ../debian_policy/policy/modules/apps/qemu.if
- macro userdom_unpriv_usertype at Line 103 in ../debian_policy/policy/modules/apps/wine.if
- file_type_auto_trans at Line 308 in ../debian_policy/policy/modules/system/ipsec.te

Types used as an alias:
- procmail_t at Line 10 in ../debian_policy/policy/modules/services/lda.te
- procmail_exec_t at Line 12 in ../debian_policy/policy/modules/services/lda.te
- procmail_tmp_t at Line 17 in ../debian_policy/policy/modules/services/lda.te

Types not declared:
- httpd_nagios_script_exec_t
- httpd_cobbler_script_exec_t
- httpd_smokeping_cgi_script_exec_t
- httpd_nutups_cgi_script_exec_t
- lsassd_t
- dkim_var_run_t
- dkim_t

I believe that some of these errors are also in Refpolicy.

I don't see anything related to your problem here.

I've attached the current version of my compiler.
Unfortunately, it treats Refpolicy pre m4 expansion as the policy
language, so I need to patch a few things in the policy to make it work.

So apply the attached patch — note that it only works around things my parser cannot handle (it inlines macros, comments out the selinuxfs boolean genfscon and the gen_user() calls, and so on), so the patched tree is for analysis only and should not be built into a loadable policy — and then run something like the following:
./fpp.lua -p ../debian_policy/ > policy.conf

-- 
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
diff -ur debian_policy_orig/policy/constraints debian_policy/policy/constraints
--- debian_policy_orig/policy/constraints	2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/constraints	2010-11-29 10:51:16.000000000 -0500
@@ -25,21 +25,15 @@
 # name_list : name | name_list name		
 #
 
-define(`basic_ubac_conditions',`
-	ifdef(`enable_ubac',`
-		u1 == u2
-		or u1 == system_u or u1 == unconfined_u
-		or u2 == system_u
-		or t1 != ubac_constrained_type
-		or t2 != ubac_constrained_type
-	')
-')
-
 define(`basic_ubac_constraint',`
 	ifdef(`enable_ubac',`
 		constrain $1 all_$1_perms
 		(
-			basic_ubac_conditions
+			u1 == u2
+			or u1 == system_u or u1 == unconfined_u
+			or u2 == system_u
+			or t1 != ubac_constrained_type
+			or t2 != ubac_constrained_type
 		);
 	')
 ')
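Review bot: Inlining `basic_ubac_conditions` at `u1 == u2 ... or t2 != ubac_constrained_type` leaves the same five-line UBAC exemption list copied into three constraint sites (this hunk and the two that follow), so a later edit to one copy — say dropping the `u1 == unconfined_u` exemption — can silently leave the other two with a different exemption set. If the nested macro is only a limitation of the Lua front end, a comment at each copy saying so, e.g. `# inlined from basic_ubac_conditions for fpp; keep all three copies identical`, would stop the duplication being mistaken for intent.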
@@ -48,7 +42,11 @@
 	ifdef(`enable_ubac',`
 		constrain $1 all_$1_perms
 		(
-			basic_ubac_conditions
+			u1 == u2
+			or u1 == system_u or u1 == unconfined_u
+			or u2 == system_u
+			or t1 != ubac_constrained_type
+			or t2 != ubac_constrained_type
 			or t1 == $2
 		);
 	')
@@ -82,7 +80,11 @@
 ifdef(`enable_ubac',`
 	constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
 	(
-		basic_ubac_conditions
+		u1 == u2
+		or u1 == system_u or u1 == unconfined_u
+		or u2 == system_u
+		or t1 != ubac_constrained_type
+		or t2 != ubac_constrained_type	
 		or t1 == ubacproc
 	);
 ')
@@ -241,5 +243,4 @@
 
 
 undefine(`basic_ubac_constraint')
-undefine(`basic_ubac_conditions')
 undefine(`exempted_ubac_constraint')
diff -ur debian_policy_orig/policy/mcs debian_policy/policy/mcs
--- debian_policy_orig/policy/mcs	2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/mcs	2010-11-29 10:57:14.000000000 -0500
@@ -71,18 +71,20 @@
 mlsconstrain file { read ioctl lock execute execute_no_trans }
 	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
 
-mlsconstrain file { write setattr append link rename }
 ifdef(`distro_debian', `
-	((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
+	mlsconstrain file { write setattr append link rename }
+		     ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
 ', `
+   mlsconstrain file { write setattr append link rename }
 	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
 ')
 
-mlsconstrain file { unlink }
 ifdef(`distro_debian', `
-	((( h1 dom h2 ) and ( l1 domby l2 )) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain ));
+	mlsconstrain file { unlink }
+		     ((( h1 dom h2 ) and ( l1 domby l2 )) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain ));
 ', `
-	(( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain ));
+	mlsconstrain file { unlink }
+		     (( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain ));
 ')
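Review bot: The `mlsconstrain file { write setattr append link rename }` head is now repeated in both ifdef branches, and the non-Debian copy at `   mlsconstrain file { write ...` is indented with three spaces plus a tab while the rest of the file uses tabs; the permission set must now be kept identical in both branches by hand, and the same goes for the unlink constraint below it. A short comment above each ifdef, `# statement head repeated per branch so each statement is complete for single-pass parsers; keep the permission sets in sync`, would record why the shared head was split and what must not drift.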
 
 mlsconstrain dir { search read ioctl lock }
@@ -96,12 +98,12 @@
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
-mlsconstrain file { create relabelto }
 ifdef(`distro_debian', `
-	(( h1 dom h2 ) and ( l2 eq h2 ) and
-	((l1 domby l2) or (t2 == mcstrustedobject)));
+	mlsconstrain file { create relabelto }
+		     (( h1 dom h2 ) and ( l2 eq h2 ) and ((l1 domby l2) or (t2 == mcstrustedobject)));
 ', `
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	mlsconstrain file { create relabelto }
+		     (( h1 dom h2 ) and ( l2 eq h2 ));
 ')
 
 # new file labels must be dominated by the relabeling subject clearance
@@ -112,19 +114,22 @@
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
-mlsconstrain process { transition dyntransition }
 ifdef(`distro_debian', `
-	(( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats ));
+	mlsconstrain process { transition dyntransition }
+		     (( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats ));
 ', `
-	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+	mlsconstrain process { transition dyntransition }
+		     (( h1 dom h2 ) or ( t1 == mcssetcats ));
 ')
 
 
-mlsconstrain process { ptrace }
+
 ifdef(`distro_debian', `
-	( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) );
+	mlsconstrain process { ptrace }
+		     ((h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) );
 ', `
-	(( h1 dom h2) or ( t1 == mcsptraceall ));
+	mlsconstrain process { ptrace }
+		     (( h1 dom h2) or ( t1 == mcsptraceall ));
 ')
 
 mlsconstrain process { sigkill sigstop }
diff -ur debian_policy_orig/policy/modules/kernel/files.if debian_policy/policy/modules/kernel/files.if
--- debian_policy_orig/policy/modules/kernel/files.if	2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/modules/kernel/files.if	2010-11-29 10:37:03.000000000 -0500
@@ -709,7 +709,7 @@
 		attribute file_type;
 	')
 
-	allow $1 { file_type $2 }:dir list_dir_perms;
+	allow $1 { file_type - $2 }:dir list_dir_perms;
 ')
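Review bot: `{ file_type - $2 }` changes the meaning of the second parameter from a raw type-set fragment (callers passed `-shadow_t`) to a bare list of types to exclude, and the `<param>` documentation for it, which sits above this hunk, was not updated. A caller still passing the old `-type` form now yields `file_type - -type`, which checkpolicy rejects, a caller that passed a plain type in order to add it now silently excludes it, and a one-argument caller breaks because `{ file_type - }` is a syntax error where `{ file_type }` was valid. Suggest documenting the parameter as `## Types to exclude from file_type (no leading '-'), e.g. shadow_t` and, if one-argument callers exist, guarding the empty case with an m4 ifelse on `$2` that falls back to plain `file_type`. The interface definition begins outside the hunk; the next two hunks make the same change to the read_files and read_lnk_files variants.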
 
 ########################################
@@ -734,7 +734,7 @@
 		attribute file_type;
 	')
 
-	read_files_pattern($1, { file_type $2 }, { file_type $2 })
+	read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
 ')
 
 ########################################
@@ -759,7 +759,7 @@
 		attribute file_type;
 	')
 
-	read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+	read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
 ')
 
 ########################################
@@ -1046,6 +1046,35 @@
 
 ########################################
 ## <summary>
+##	Relabel all files on the filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type : dir list_dir_perms;
+	relabel_dirs_pattern($1, file_type, file_type)
+	relabel_files_pattern($1, file_type, file_type)
+	relabel_lnk_files_pattern($1, file_type, file_type)
+	relabel_fifo_files_pattern($1, file_type, file_type)
+	relabel_sock_files_pattern($1, file_type, file_type)
+	relabelfrom_blk_files_pattern($1, file_type, file_type)
+	relabelfrom_chr_files_pattern($1, file_type, file_type)
+
+	# satisfy the assertions:
+	seutil_relabelto_bin_policy($1)
+')
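Review bot: Reusing the name `files_relabel_all_files` for a one-parameter interface is risky because m4 silently drops arguments a user-defined macro does not reference: a caller elsewhere in the tree still written as `files_relabel_all_files(foo_t, -shadow_t)` will expand without error and grant foo_t relabelfrom/relabelto on every `file_type`, shadow_t included, instead of failing the build. Either give the new interface a fresh name, or have it reject a second argument (an `ifelse` on a non-empty `$2` that calls `errprint` and `m4exit(1)`) until callers are audited. The `<summary>` should also state that the grant deliberately covers shadow_t and point callers needing exclusions to `files_relabel_all_files_except`, "perfoming" in the param text should be "performing", and the original's note that blk/chr files get relabelfrom only because there should be no device nodes with file types was dropped here and is worth keeping.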
+
+########################################
+## <summary>
 ##	Relabel all files on the filesystem, except
 ##	the listed exceptions.
 ## </summary>
@@ -1062,21 +1091,21 @@
 ## </param>
 ## <rolecap/>
 #
-interface(`files_relabel_all_files',`
+interface(`files_relabel_all_files_except',`
 	gen_require(`
 		attribute file_type;
 	')
 
-	allow $1 { file_type $2 }:dir list_dir_perms;
-	relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
-	relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+	allow $1 { file_type - $2 }:dir list_dir_perms;
+	relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+	relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
 	# this is only relabelfrom since there should be no
 	# device nodes with file types.
-	relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+	relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
 
 	# satisfy the assertions:
 	seutil_relabelto_bin_policy($1)
@@ -1110,6 +1139,33 @@
 
 ########################################
 ## <summary>
+##	Manage all files on the filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	manage_dirs_pattern($1, file_type, file_type)
+	manage_files_pattern($1, file_type, file_type)
+	manage_lnk_files_pattern($1, file_type, file_type)
+	manage_fifo_files_pattern($1, file_type, file_type)
+	manage_sock_files_pattern($1, file_type, file_type)
+
+	# satisfy the assertions:
+	seutil_create_bin_policy($1)
+	files_manage_kernel_modules($1)
+')
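Review bot: This interface hands `$1` create/write/unlink on every `file_type` — shadow_t, kernel modules and the binary policy included, as the `files_manage_kernel_modules($1)` and `seutil_create_bin_policy($1)` calls needed to pass the neverallow assertions make explicit — and, as with the relabel variant, m4 discards a second argument from any caller that still passes an exception list to the old two-parameter `files_manage_all_files`, widening that caller to shadow_t without a build error. Suggest a `<summary>` of `Manage all files on the filesystem, including shadow_t; use files_manage_all_files_except to exclude types` and an audit of existing callers before this name is reused. Whether the `_except` variant also calls files_manage_kernel_modules cannot be seen from its hunk, which ends at `seutil_create_bin_policy($1)`.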
+
+########################################
+## <summary>
 ##	Manage all files on the filesystem, except
 ##	the listed exceptions.
 ## </summary>
@@ -1126,16 +1182,16 @@
 ## </param>
 ## <rolecap/>
 #
-interface(`files_manage_all_files',`
+interface(`files_manage_all_files_except',`
 	gen_require(`
 		attribute file_type;
 	')
 
-	manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
-	manage_files_pattern($1, { file_type $2 }, { file_type $2 })
-	manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
-	manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
-	manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+	manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+	manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+	manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
 
 	# satisfy the assertions:
 	seutil_create_bin_policy($1)
Only in debian_policy/policy/modules/kernel: files.if.orig
diff -ur debian_policy_orig/policy/modules/kernel/selinux.if debian_policy/policy/modules/kernel/selinux.if
--- debian_policy_orig/policy/modules/kernel/selinux.if	2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/modules/kernel/selinux.if	2010-11-29 10:37:19.000000000 -0500
@@ -40,7 +40,7 @@
 
 	# because of this statement, any module which
 	# calls this interface must be in the base module:
-	genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+	#genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
 ')
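Review bot: Commenting out `genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)` removes the per-boolean labelling that lets policy restrict which domains may toggle a given boolean; without it the /booleans entries presumably fall back to the generic selinuxfs label, so a policy built from this tree would be weaker than the original. Since this looks like a workaround for the Lua front end rather than an intended change, mark it so it is never loaded by mistake, e.g. `# fpp workaround: genfscon inside interfaces is not parsed; restore before building a loadable policy`. The interface begins outside the hunk.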
 
 ########################################
diff -ur debian_policy_orig/policy/modules/services/nx.te debian_policy/policy/modules/services/nx.te
--- debian_policy_orig/policy/modules/services/nx.te	2010-07-25 21:22:34.000000000 -0400
+++ debian_policy/policy/modules/services/nx.te	2010-11-29 10:37:32.000000000 -0500
@@ -13,6 +13,7 @@
 domain_user_exemption_target(nx_server_t)
 # we need an extra role because nxserver is called from sshd
 # cjp: do we really need this?
+role nx_server_r;
 role nx_server_r types nx_server_t;
 allow system_r nx_server_r;
 
Only in debian_policy/policy/modules/services: nx.te.orig
diff -ur debian_policy_orig/policy/modules/system/authlogin.if debian_policy/policy/modules/system/authlogin.if
--- debian_policy_orig/policy/modules/system/authlogin.if	2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/modules/system/authlogin.if	2010-11-29 10:37:03.000000000 -0500
@@ -1113,7 +1113,7 @@
 		type shadow_t;
 	')
 
-	files_read_all_dirs_except($1,$2 -shadow_t)
+	files_read_all_dirs_except($1, shadow_t)
 ')
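Review bot: `files_read_all_dirs_except($1, shadow_t)` drops `$2`, so a caller of this auth_* interface that passes extra types to exclude has them silently discarded by m4 and those types become readable — the opposite of what the caller asked for. If the second parameter is meant to survive, pass it through as `files_read_all_dirs_except($1, { shadow_t $2 })`, which expands to `file_type - { shadow_t $2 }` under the patched files.if; if it is meant to go away, the `<param>` block above this hunk must be removed too. The same applies to the file and symlink variants in the next two hunks.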
 
 ########################################
@@ -1139,7 +1139,7 @@
 		type shadow_t;
 	')
 
-	files_read_all_files_except($1,$2 -shadow_t)
+	files_read_all_files_except($1, shadow_t)
 ')
 
 ########################################
@@ -1164,7 +1164,7 @@
 		type shadow_t;
 	')
 
-	files_read_all_symlinks_except($1,$2 -shadow_t)
+	files_read_all_symlinks_except($1, shadow_t)
 ')
 
 ########################################
@@ -1190,7 +1190,7 @@
 		type shadow_t;
 	')
 
-	files_relabel_all_files($1,$2 -shadow_t)
+	files_relabel_all_files_except($1, shadow_t)
 ')
 
 ########################################
@@ -1242,7 +1242,7 @@
 		type shadow_t;
 	')
 
-	files_manage_all_files($1,$2 -shadow_t)
+	files_manage_all_files_except($1, shadow_t)
 ')
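Review bot: The manage variant loses `$2` in the same way as the read interfaces above, and here the effect is create/write/unlink: any caller of the enclosing auth_* interface (its name is outside the hunk) that passed additional exclusions now gets write access to them without a build error. `files_manage_all_files_except($1, { shadow_t $2 })` preserves the caller's list, and a comment such as `# shadow_t is always excluded; callers may add further types via $2` would document the contract, or the `$2` parameter docs above the hunk should be dropped if the parameter is intentionally gone.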
 
 ########################################
diff -ur debian_policy_orig/policy/support/misc_macros.spt debian_policy/policy/support/misc_macros.spt
--- debian_policy_orig/policy/support/misc_macros.spt	2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/support/misc_macros.spt	2010-11-29 10:36:35.000000000 -0500
@@ -65,12 +65,6 @@
 
 ########################################
 #
-# can_exec(domain,executable)
-#
-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
-
-########################################
-#
 # gen_bool(name,default_value)
 #
 define(`gen_bool',`
diff -ur debian_policy_orig/policy/support/misc_patterns.spt debian_policy/policy/support/misc_patterns.spt
--- debian_policy_orig/policy/support/misc_patterns.spt	2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/support/misc_patterns.spt	2010-11-29 10:36:35.000000000 -0500
@@ -62,3 +62,9 @@
 	allow $1 $2:lnk_file read_lnk_file_perms;
 	allow $1 $2:process getattr;
 ')
+
+########################################
+#
+# can_exec(domain,executable)
+#
+define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
diff -ur debian_policy_orig/policy/users debian_policy/policy/users
--- debian_policy_orig/policy/users	2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/users	2010-11-29 10:42:46.000000000 -0500
@@ -15,7 +15,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
@@ -24,12 +24,12 @@
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(user_u, user, user_r, s0, s0)
+#gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # The following users correspond to Unix identities.
@@ -38,8 +38,47 @@
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#ifdef(`direct_sysadm_daemon',`
+	#gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#',`
+	#gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+#')
+
+ifdef(`enable_mls',`
+	user system_u roles system_r level s0 range s0 - mls_systemhigh;
+	user user_u roles user_r level s0 range s0;
+	user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+	user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
+	user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
+	ifdef(`direct_sysadm_daemon',`
+		user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
+	',`
+		user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+	')		
 ',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+	ifdef(`enable_mcs',`
+		user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
+		user user_u roles user_r level s0 range s0;
+		user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
+		user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
+		user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
+		ifdef(`direct_sysadm_daemon',`
+			user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
+		',`
+			user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
+		')
+	',`	
+		# No MLS
+		# Not supporting MCS
+		user system_u roles system_r;
+		user user_u roles user_r;
+		user staff_u roles { staff_r sysadm_r };
+		user sysadm_u roles sysadm_r;
+		user unconfined_u roles unconfined_r;
+		ifdef(`direct_sysadm_daemon',`
+			user root roles { sysadm_r staff_r system_r };
+		',`
+			user root roles { sysadm_r staff_r };
+		')
+	')
+ ')

Attachment: fpp_20101130.tar.bz2
Description: application/bzip-compressed-tar

